Re: question about oracle advisory

From: David Litchfield (david_at_ngssoftware.com)
Date: 08/07/03

  • Next message: Zero_X www.lobnan.de Team: "DoS Vulnerabilities in Crob FTP Server 2.60.1"
    To: <bugtraq@securityfocus.com>
    Date: Wed, 6 Aug 2003 16:54:00 -0700
    
    

    Hello Daymon and All,

    I have CC'd in the Oracle Security Team....

    > Do you have any plans to release proof of concept code for the Oracle
    > exploit? The reason I ask is that "due to architectural constraints,"
    > Oracle is not planning on releasing a patch for 8i releases. We contacted
    > them about this, but they're sticking to their guns about the exploit
    > requiring oracle authentication, and thus being a low(er)-risk
    > vulnerability.

    I know Oracle 9 is vulnerable and can be exploited without a user ID or
    password. I demonstrated an exploit for this problem at the European
    Blackhat Security Briefings. I know a number of the Oracle security guys
    have actually read the associated paper and are (or at least should be)
    _FULLY_ aware that this vulnerability _CAN_ be exploited without
    credentials. Oracle: let me know if you need more proof of this and I can
    send you the exploit.

    As this new bug was introduced in the patch for the problem I reported
    here - http://www.nextgenss.com/advisories/oraplsextproc.txt - and Oracle
    will not give out patches to those who are not customers, I've never had the
    opportunity to test this on 8.

    At an educated guess, however, I believe 8 will be the same as 9.

    > To quote the analyst that responded, "I'm not able to comment on David
    > Litchfield's claims, but with SECURITY ALERT 57, you need the CREATE
    LIBRARY
    > or the CREATE ANY LIBRARY privilege. The exploit is dependent on these
    > privileges, so if they are not granted to users, the exploit fails. How a
    > user could exploit these without being able to connect is difficult to
    even
    > imagine."

    The analyst should do more analysis then. It is really very simple.

    >
    > I'd like to see them put out a patch for this, but without some more proof
    > of the anonymous exploit, and motivation to fix the problem regardless of
    > "architectural constraints", I don't think they will.

    I believe the Oracle security guys know this can be done without credentials
    and if this is the case then it seems that one hand is not speaking to the
    other. If however, the Oracle security guys believe this is not exploitable
    without a userID and password then let me know. I'm more than happy to
    supply Oracle with the exploit.

    Can we get this resolved, once and for all, please.

    Thank you,
    David Litchfield


  • Next message: Zero_X www.lobnan.de Team: "DoS Vulnerabilities in Crob FTP Server 2.60.1"

    Relevant Pages

    • Re: question about oracle advisory
      ... fact I demonstrated exploit code for this vulnerability at the Blackhat ... Security Breifings in Amsterdam in the May of this year. ... do such demonstrations unless a patch is available for a problem. ... We initially informed Oracle about this issue ...
      (Bugtraq)
    • [Full-disclosure] Oracle Java OBJECT children property memory corruption
      ... Oracle has released a patch for a vulnerability in Java 6 that I reported to ...
      (Full-Disclosure)
    • Re: oracle VA/PT
      ... I have found that there are not many Oracle checks that come with nessus ... lists every free and commercial Oracle security tool I know of. ... Up to 75% of cyber attacks are launched on shopping carts, forms, ...
      (Pen-Test)
    • Re: Oracle DB Audity
      ... list of commercial oracle security scanners and related software. ... auditing file systems and listeners and database checks. ... Now you can get trustworthy commercial-grade exploits and the latest ...
      (Pen-Test)
    • [Full-disclosure] Oracle 10g DBMS_SCHEDULER SESSION_USER issue
      ... Red-Database-Security GmbH Oracle Security Advisory ... Every user with CREATE JOB privilege can switch the SESSION_USER to SYS ... executing a database job via dbms_scheduler. ... Red-Database-Security GmbH is a specialist in Oracle Security. ...
      (Full-Disclosure)